Lecture 3,4: Multiparty Computation
CS 276 Cryptography, January 26/28, 2016
Lecture 3,4: Multiparty Computation
Instructor: Sanjam Garg. Scribe: Joseph Hui

1 Constant-Round Multiparty Computation

Last time we considered the GMW protocol, which gives us an algorithm for securely evaluating any circuit $C(x_1, x_2, \ldots, x_n)$ where each party $p_i$, $i \in \{1, \ldots, n\}$, holds a part of the input $x_i$. One issue with this protocol is that it may take a very large number of rounds, dependent on the depth of the circuit, because each gate must be evaluated in topological order. Let's consider some ideas to fix this problem.

Currying

Let's consider one simple idea that doesn't work. If we have a circuit $C(x_1, x_2, \ldots, x_n)$, we can curry the inputs to get a new circuit, say $C'$, that takes in only one input and itself outputs a circuit. The next circuit also takes one input and outputs a circuit, and so on, so that $C'(x_1)(x_2)(x_3)\cdots(x_n) = C(x_1, \ldots, x_n)$. So Alice passes Bob a garbled version of $C'(x_1)$; Bob passes Carol a garbled version of $C'(x_1)(x_2)$; and so on. However, this approach cannot possibly work: Bob can simply simulate Carol, David, etc. in his head, and thus compute $C(x_1, x_2, \ldots, x_n)$ for any values of $x_3, \ldots, x_n$ that he might choose.

Rounds independent of circuit depth

Now let's consider an idea that reduces the round complexity from depending on the circuit depth to being independent of it. The GMW protocol evaluates a circuit $C(x_1, \ldots, x_n)$ in a number of rounds proportional to the depth of $C$. $C$ may be very deep, but can we find some other, shallower circuit to feed into the GMW protocol that nevertheless lets us perform the desired computation? Indeed we can. Instead of computing the value $C(x_1, \ldots, x_n)$ itself, we will securely compute a garbled version of $C$; each party can then use the garbled $C$ to compute the desired value.

Recall Yao's protocol. We defined a ppt algorithm Garble such that $\mathrm{Garble}(C, \omega, x)$, for some randomness $\omega$ and input $x$, gives us a garbled circuit $\tilde{C}$ (syntactically, a set of encrypted bitstrings and a translation table). $\tilde{C}$, combined with the appropriate labels for $x$ and some input $y$, can then be used to evaluate $C(x, y)$. In particular, we can let $y$ be empty. Then this gives a garbled circuit $\tilde{C}$ that, when combined with the appropriate labels for $x$, produces $C(x)$.

Consider the algorithm $D(\cdot, \cdot) = \mathrm{Garble}_C(\cdot, \cdot)$, which actually performs this garbling operation. It takes as input some randomness and the concatenated inputs $x_1, x_2, \ldots, x_n$. Actually, let's say it takes in $\omega_1, \ldots, \omega_n$ and computes $\omega = \bigoplus_i \omega_i$ to use as its randomness (so that if any player is uncorrupted, the randomness is truly random). It outputs a garbled circuit $\tilde{C}$ and some labels, i.e. encryption keys for each input wire.

Now, note that $D$ can be parallelized: the encryptions for each gate can be computed completely independently of every other gate, so the depth of $D$ does not grow with the depth of $C$. After all, what does $D$ do? First it has to XOR all the randomness together, which takes circuit depth $O(n)$ (or even $O(\log n)$). Then its only job is to use some encryption keys (which it reads off from the randomness) to encrypt some other encryption keys (ditto). Each key is encrypted twice, as before. So the circuit depth is $O(\log n)$ plus the circuit depth of two encryptions, and it is independent of $C$. Note that the encryption circuit may increase in depth with the security parameter.

Let's review. We know how to use GMW to evaluate a circuit $C$, but it takes rounds proportional to the depth of $C$. Instead of $C$, we consider another circuit $D$. $D$ has circuit depth independent of $C$ (dependent only on the number of players and the security parameter). Each player generates randomness $\omega_i$, and we use the GMW protocol to securely compute $D(\omega_1, x_1, \ldots, \omega_n, x_n)$, that is, $\tilde{C}$ together with the labels for $x_1, \ldots, x_n$. Each player now has access to the garbled circuit $\tilde{C}$ as well as the appropriate input labels, and simply evaluates the garbled circuit on those labels, thus computing the answer $C(x_1, \ldots, x_n)$.

Security follows easily. GMW guarantees that each player learns nothing except the output, i.e. $\tilde{C}$ plus the input labels. In turn, Yao's protocol guarantees that using $\tilde{C}$ and the input labels, each player can learn nothing except the output. So each player learns nothing except the output, and we are done.

Constant rounds: BMR protocol

The above protocol still has round complexity dependent on the security parameter. We would like constant round complexity (assuming the number of players is constant). We will use the same idea as before: use GMW, but instead of computing the answer, compute a garbled circuit, which in turn may be used to compute the answer. The difference is in the encryption that the garbled circuit will use. Before, we used a generic encryption circuit, whose depth might grow with the security parameter. Now we use a specific encryption scheme, which we define below, and this will also require us to change our protocol in some ways.
Recall the simple one-time-pad PRG encryption scheme: Alice and Bob have a shared key $k$ and a PRG $G$; Alice simply sends $m \oplus G(k)$, and Bob XORs the received message with $G(k)$ to recover $m$. We will use this as our encryption scheme. Now we must be extremely careful about what computation we secure with the GMW protocol. Including any sort of complex computation, such as the computation of $G(k)$, would increase the circuit depth. So we will take great pains to keep every possible computation out of GMW; the only thing GMW will do is securely combine keys for us by XOR-ing them together.

The garbled circuit structure is similar to Yao's construction. We have a circuit with some gates and wires. Each wire has four keys: two 0-keys and two 1-keys, which we call $p_0, q_0, p_1, q_1$ respectively. Each gate has four encryptions, one for each possible pair of input values. Suppose we have a gate with input wire $\alpha$ carrying value 1, input wire $\beta$ carrying value 0, and output wire $\gamma$ (which, for an AND gate, has value $1 \wedge 0 = 0$). Then we XOR one of $\alpha$'s 1-keys, one of $\beta$'s 0-keys, and one of the encryptions. Whether we use $p$ or $q$ depends on the encryption; across the four encryptions we use the combinations $pp$, $pq$, $qp$, $qq$ once each. The reason we have two 0-keys ($p$ and $q$) instead of just one, as in Yao's construction, is that we are using the XOR operation, and reusing keys would allow an attacker to discover correlations between the encrypted messages. This gives us the 0-key for the output wire $\gamma$ (actually it gives us a seed key, which we can use to generate the appropriate keys).

Now let's describe the protocol.

1. First, each player $i$ samples two keys and a blind bit for each wire $\omega$ (either by sampling them randomly, or by sampling a $\kappa$-bit string $s$ and using it as the seed of a PRF). This gives $(k^\omega_0(i), k^\omega_1(i), \lambda^\omega_i)$. The seed key for wire $\omega$ with bit $b$ is the concatenation of each player's keys, $\mathrm{key}^\omega_b = k^\omega_b(1) \,\|\, \cdots \,\|\, k^\omega_b(n)$, and the blind bit for wire $\omega$ is the XOR of each player's blind bits, $\lambda^\omega = \lambda^\omega_1 \oplus \cdots \oplus \lambda^\omega_n$. The blind bit is necessary because each player will eventually learn the full evaluation of the garbled circuit, which includes knowing which of her keys was used on each wire. If she knew how her keys correspond to 0 and 1, she could figure out the value of each wire. The blind bit randomizes this relationship so that this does not happen.

2. Each player then generates the actual keys. Specifically, she uses the PRG to generate $(p^\omega_b(i), q^\omega_b(i)) = G(k^\omega_b(i))$, the two keys for bit $b$ on wire $\omega$. Each key has length $n\kappa$, for a total of $2n\kappa$ bits.

3. The players run a GMW protocol to compute the four encryptions for each gate. As with the previous construction, the gates can be processed in parallel. Considering a gate $g$ with input wires $\alpha, \beta$ and output wire $\gamma$, each player $i$ feeds the values $(p^\alpha_b(i), q^\alpha_b(i))$, $(p^\beta_b(i), q^\beta_b(i))$; $\lambda^\alpha_i, \lambda^\beta_i, \lambda^\gamma_i$; $k^\gamma_b(i)$ into the protocol. That is, she feeds in the 0- and 1-keys for the input wires, all her blind bits, and her keys for the output wire. The protocol then computes, XORed over all players $i$,
$$\bigoplus_{i=1}^{n} \Big( p^\alpha_{\lambda^\alpha \oplus x}(i) \oplus p^\beta_{\lambda^\beta \oplus y}(i) \Big) \oplus \mathrm{key}^\gamma_{g(x,y) \oplus \lambda^\gamma}$$
for $x, y = 0, 0$; then the same with $p, q$ for $x, y = 0, 1$; with $q, p$ for $x, y = 1, 0$; and finally with $q, q$ for $x, y = 1, 1$. That is, for each possible pair of values on the input wires, it computes the XOR of the appropriate input keys with the output-wire key corresponding to the correct output value, all with the appropriate blinding. How is such a computation carried out? Given specific values of $\alpha, \beta, \gamma, x, y$, the circuit can compute this value by simply performing $O(n)$ XOR operations on the blind bits, keys, and the values $k^\gamma_b(i)$. Thus it can be carried out in constant circuit depth, and the GMW protocol runs in a constant number of rounds.

4. Each player broadcasts $\lambda^\omega_i$ and $k^\omega_b(i)$ for everyone else's input wires. Now consider a wire $\omega$ that corresponds to player 1's (Alice's) input: she has been sent $\lambda^\omega_i$ for all $i \in \{2, \ldots, n\}$. In addition, she knows $\lambda^\omega_1$ because she generated it. So she knows the value of $\lambda^\omega$. On the other hand, player 2 does not know this value, because she does not know $\lambda^\omega_1$; Alice did not send it to her.

5. Now each player knows the blind bits for her own input wires alone. Since she also knows the actual value of her input, she knows which key should be used in the computation. Thus she broadcasts the keys for her own input wires. Specifically, if the $j$-th bit of player $i$'s input goes on wire $\omega$, she broadcasts $k^\omega_{x_i[j] \oplus \lambda^\omega}$. This concludes the protocol.

Lecture 4: IT-Secure Multiparty Computation

We have now seen protocols for secure multiparty computation. However, these protocols relied on computational hardness assumptions. In fact, we can construct protocols that are information-theoretically secure, even against unbounded adversaries. The drawback of this approach is that we will not be able to guarantee security if almost all parties are corrupted by the adversary; we can guarantee security only if at most some constant fraction is corrupted.
One protocol, the CCD protocol, accomplishes this task, but we will not look at it, as it only guarantees statistical security. Instead, we look at the BGW protocol, which guarantees perfect security against $t$ corrupted parties. In the semi-honest case it protects against $t$ corruptions as long as $t < n/2$; in the malicious case, as long as $t < n/3$. A result by Rabin and Ben-Or also provides a construction against $t < n/2$ malicious corruptions, assuming the presence of a broadcast channel and providing statistical security.

The basic idea we will use is secret sharing. A secret sharing scheme works as follows. A dealer has a bit $b$, and she wants to give shares $a_1, \ldots, a_n$ to players $p_1, \ldots, p_n$ such that the players can recover $b$ as long as they all come together and combine their values $a_i$. This is an $n$-out-of-$n$ scheme, since all $n$ players need to cooperate; we can also define $t$-out-of-$n$ schemes, in which only $t$ players need to cooperate. Note that we used this same idea in GMW. GMW had three stages:

1. Secret sharing: each party acts as a dealer and secret-shares a bit $b$ for each of its input wires, by dealing out bits $a_i$ such that $\bigoplus_i a_i = b$.
2. Computation: for each gate, the parties securely combine their shares for the input wires to produce shares for the output wire.
3. Reconstruction: all parties reveal their shares for the output wire to recover the desired result.

In the BGW protocol, we will use a $t$-out-of-$n$ secret-sharing scheme called Shamir's Secret Sharing. The scheme works as follows. Consider a field $\mathbb{F}$ (e.g. the integers modulo a prime) with $|\mathbb{F}| > n$, and $n$ distinct nonzero values $\alpha_1, \alpha_2, \ldots, \alpha_n \in \mathbb{F}$. Sample a random polynomial $p(x)$ of degree $t$ such that $p(0) = s$, the secret to be shared. Now, given $t + 1$ points of the polynomial, we can uniquely determine the polynomial and evaluate it at 0 to recover the secret (this is covered in e.g. CS70).
Given only $t$ points of the polynomial, every value of the secret is equally likely, and thus we gain zero information about it.

Now that we've decided how to share secrets, let's consider the computation phase. We have a function to evaluate, which can be expressed as a circuit composed of addition and multiplication gates (over the field). We'll consider a gate with two inputs, $p(0)$ and $q(0)$, encoded in two random polynomials $p$ and $q$ with shares $\alpha_i, \beta_i$ split among the $n$ players.

Suppose this gate is an addition gate. Then we want to compute the shares of a third polynomial $r$ such that $r(0) = p(0) + q(0)$ and $r$ is a random polynomial among all degree-$t$ polynomials with this property. This is simple: our output polynomial is $p + q$, with $(p + q)(0) = p(0) + q(0)$, and each player computes her new output share as $\gamma_i = \alpha_i + \beta_i$. $p + q$ is clearly a random polynomial (being the sum of two random polynomials) and has the desired evaluation at 0. Similarly, if this gate is a constant-multiplication gate (i.e. we want to multiply the polynomial by a fixed constant $c$), evaluation is also easy: everyone multiplies their share by $c$.

How about multiplication of $p(0)$ and $q(0)$? At first this may seem easy: $pq$ is a new polynomial that indeed satisfies $(pq)(0) = p(0)q(0)$, so perhaps each player can just multiply her two shares. However, this doesn't work, for two reasons. First, the product of two random polynomials is not necessarily itself random (the distribution may be nonuniform). Second, the resulting polynomial has degree $2t$, not degree $t$.

We can fix both of these problems. First, each player $i$ multiplies her two shares, $f_a(\alpha_i)$ and $f_b(\alpha_i)$, together. Now the players have shares corresponding to the polynomial $pq$ (note that here is where we use the assumption that $2t < n$; if not, the players do not have enough points to uniquely determine $pq$, and the information is lost).

Now let's fix the randomization problem through a process called rerandomization. This is easy: we can just add a random polynomial $r$ of degree $2t$ such that $r(0) = 0$. Any polynomial plus a random polynomial is a random polynomial, so this fixes our problem, and it does not change the encoded secret. In order to add this polynomial, one party acts as the dealer: she picks the polynomial at random, generates the shares, and gives them to all parties, who then add the assigned shares to their own. And since no one party can be trusted to be the dealer, we have every party deal in turn, in total adding $n$ polynomials to our original polynomial. This produces a new polynomial, which we call $h(x)$.

How will we fix the degree problem? We will devise a procedure to truncate our polynomial $h(x)$. Clearly, if we have a random polynomial of degree $2t$, chopping off the highest $t$ coefficients gives us a polynomial of degree $t$ that is also random. All parties collectively hold shares $h(\alpha_1), \ldots, h(\alpha_n)$ of $h(x)$, and they want to compute $\hat h(\alpha_1), \ldots, \hat h(\alpha_n)$ of $\hat h(x) = \mathrm{truncate}_t(h(x))$. This can be described as a matrix operation:
$$\begin{pmatrix} \hat h(\alpha_1) \\ \vdots \\ \hat h(\alpha_n) \end{pmatrix} = V_\alpha\, P^T\, V_\alpha^{-1} \begin{pmatrix} h(\alpha_1) \\ \vdots \\ h(\alpha_n) \end{pmatrix}.$$
Here $V_\alpha$ is the matrix that evaluates a polynomial of degree $< n$, with its coefficients listed in a vector, at the points $\alpha_1, \ldots, \alpha_n$. That is,
$$V_\alpha = \begin{pmatrix} 1 & \alpha_1 & \cdots & \alpha_1^{\,n-1} \\ \vdots & \vdots & & \vdots \\ 1 & \alpha_n & \cdots & \alpha_n^{\,n-1} \end{pmatrix}$$
(verify in your head that this corresponds to polynomial evaluation). Correspondingly, $V_\alpha^{-1}$ is the inverse of $V_\alpha$, so it converts a polynomial from point-value representation to coefficient representation. Finally, $P^T$ is the truncation matrix: it is an $n$-by-$n$ matrix with a $(t+1)$-by-$(t+1)$ identity matrix in the top-left corner and zeroes everywhere else.

So, we have $h$ in point-value form; we multiply it by $V_\alpha^{-1}$ to get the coefficient form; we multiply it by $P^T$ to chop off all but the lowest $t + 1$ coefficients, reducing the degree; and then we multiply it by $V_\alpha$ to put it back in point-value representation. This produces the shares of $\hat h(x)$ that we want.

However, how do we actually perform this computation without sharing information and thus leaking the answer? Observe that we expressed the computation as a matrix multiplication. This means the computation is necessarily linear; that is, we can express it as
$$\hat h(\alpha_i) = c_{i1}\, h(\alpha_1) + c_{i2}\, h(\alpha_2) + \cdots + c_{in}\, h(\alpha_n)$$
for some known constants $c_{ij}$. Then how do we compute this? Well, this computation consists solely of addition and constant-multiplication operations, which we already know how to do! So whenever we need to do a multiplication, we need to do degree reduction, and we can bootstrap it by running a subprotocol that requires only additions and constant multiplications. Note that at the end of this subprotocol, players do not reveal their shares publicly; they only send their shares to the player that requires them (i.e. player $i$ requires the shares for $\hat h(\alpha_i)$). Now that we know how to perform addition and multiplication, we can carry out the evaluation of the circuit, and this completes the protocol.

Malicious IT-Secure Multiparty Computation

Now let's try to extend this scheme to the malicious setting. When players can act maliciously, they have many ways to break the protocol. In the computation stage, they can do all sorts of crazy things: send random garbage, send a nonzero polynomial in the rerandomization phase, etc. In the input stage, they could generate a polynomial of degree $> t$, so that different sets of players see a different polynomial. In the reconstruction stage, they could send incorrect shares.

First, let's think about how to solve the issue of sending incorrect shares in the reveal stage. Let's assume that up to this point everyone has acted honestly. So we now have a polynomial of degree $t$, and we have $n > 3t$ evaluations of it at various points, one per player. Everyone reveals their evaluation, but the resulting points may not be consistent with any degree-$t$ polynomial. How do we fix this? The answer is simple: we use a Reed-Solomon code, which is an $(n, t+1, n-t)$ code ($n$ symbols, $t+1$ data symbols, minimum distance $n - t$ between codewords) that corrects $\lfloor (n - t - 1)/2 \rfloor$ errors. When $t < n/3$, this can correct $t$ errors. For example, if $t = 1$ and $n = 4$, so that all of the points lie along a straight line, then I can look at four points and find the line that passes through them, ignoring one point that was corrupted and doesn't lie on the line. In general, the Berlekamp-Welch algorithm can be used to reconstruct the original polynomial.

Secondly, let's think about how to solve the issue of the input. We'll use something called verifiable secret sharing. It works as follows:

1. The dealer $D$, wishing to distribute a secret $s$, samples a random polynomial $q(x)$ of degree $t$ such that $q(0) = s$.
2. The dealer samples a random bivariate polynomial $s(x, y)$ of degree $t$ in each variable (i.e. with coefficients $c_{tt} x^t y^t + \cdots + c_{00}$) such that $s(0, z) = q(z)$.
3. The dealer sends $f_i(x) = s(x, \alpha_i)$ and $g_i(y) = s(\alpha_i, y)$ to player $i$.
4. Each pair of players $i, j$ checks that $f_i(\alpha_j) = g_j(\alpha_i)$. If this is not the case, they complain to the dealer.

Why does this work? Let's think about an intuitive argument first. Say the dealer is honest, but a few players are dishonest. When players $i, j$ are communicating, $j$ might give some incorrect value of $g_j(\alpha_i)$. If this happens, $i$ will complain to the dealer, reporting the value that she received. The dealer will then be able to recognize that player $j$ is malicious, and can reveal player $j$'s shares publicly. On the other hand, if the dealer is dishonest and gives players incorrect polynomials, this will trigger a much larger number of complaints among players; the players can then recognize that these complaints could not have arisen from malicious players alone, and conclude that the dealer is dishonest.

Now let's start working towards a proof. One basic thing we should check is that if all the players are honest and all of the checks in step 4 pass, then there really is a unique polynomial $s(x, y)$ consistent with all players' shares. That is, a dishonest dealer cannot trick a group of honest players without being detected. Let $K$ be the full set of honest parties. The basic idea is that if we consider a set $L$ of any $t + 1$ parties, their shares fix a specific $s(x, y)$. Now, if their values of $f$ are consistent with the other players' values of $g$, this implies that $s(\alpha_k, y) = g_k(y)$ for all $k \in K$ (by definition). Similarly, we must have $s(x, \alpha_i) = f_i(x)$ for all $i \in K \setminus L$. This ensures that all parties' shares are consistent with $s$. We will go through the full proof in the next lecture.
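Shamir sharing and the BGW addition and multiplication gates from Lecture 4, as an added Python example that is not part of the original notes. Secrets live in $\mathbb{Z}_p$ for the constructed prime $p = 2^{31} - 1$ with public points $\alpha_i = i$; the multiplication gate does the local product, the rerandomization by every player in turn, and the degree reduction as the linear map $V_\alpha P^T V_\alpha^{-1}$, run as the subprotocol in which each player re-shares her point of $h$ and sends her linear combination only to the player that needs it. All function and variable names are this example's own.

```python
import random

P = 2_147_483_647   # the field F = Z_p for the prime p = 2^31 - 1 (a constructed choice)

def poly_eval(coeffs, x):
    """Evaluate sum_k coeffs[k] * x^k over Z_p (coeffs[0] is the constant term)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def poly_mul(a, b):
    """Product of two polynomials in coefficient form over Z_p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def share(secret, t, n, rng=random):
    """Shamir t-out-of-n sharing: random degree-t p with p(0) = secret, at points alpha_i = i."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return [poly_eval(coeffs, i) for i in range(1, n + 1)]

def lagrange_basis(points):
    """Coefficient form of the Lagrange basis L_j: any f with deg f < len(points)
    satisfies f(x) = sum_j f(alpha_j) L_j(x)."""
    basis = []
    for j, aj in enumerate(points):
        num, denom = [1], 1
        for m, am in enumerate(points):
            if m != j:
                num = poly_mul(num, [(-am) % P, 1])     # multiply by (x - alpha_m)
                denom = denom * (aj - am) % P
        inv = pow(denom, -1, P)
        basis.append([c * inv % P for c in num])
    return basis

def interpolate(points, values):
    """Coefficients of the unique polynomial of degree < len(points) through the points."""
    coeffs = [0] * len(points)
    for v, L in zip(values, lagrange_basis(points)):
        for k, c in enumerate(L):
            coeffs[k] = (coeffs[k] + v * c) % P
    return coeffs

def reconstruct(points, values):
    """Recover the secret p(0) from t+1 (or more) shares."""
    return interpolate(points, values)[0]

def reduction_matrix(points, t):
    """The constants c_ij of the text, i.e. V_alpha P^T V_alpha^{-1}: truncation is
    linear in the coefficients, so c_ij = truncate_t(L_j)(alpha_i)."""
    basis = lagrange_basis(points)
    return [[poly_eval(L[:t + 1], ai) for L in basis] for ai in points]

def rerandomize(shares, t, rng=random):
    """Every player in turn deals a random degree-2t polynomial r with r(0) = 0,
    and everyone adds the share she receives."""
    out = list(shares)
    for _dealer in range(len(shares)):
        r = [0] + [rng.randrange(P) for _ in range(2 * t)]
        out = [(s + poly_eval(r, i + 1)) % P for i, s in enumerate(out)]
    return out

def bgw_multiply(shares_a, shares_b, t, rng=random):
    """BGW multiplication gate: local product, rerandomization, degree reduction."""
    n = len(shares_a)
    assert 2 * t < n, "need 2t < n so the n points determine the degree-2t product"
    points = list(range(1, n + 1))
    h = rerandomize([(x * y) % P for x, y in zip(shares_a, shares_b)], t, rng)
    C = reduction_matrix(points, t)
    # Player j re-shares her point h(alpha_j); resh[j][k] is the share sent to player k.
    resh = [share(h[j], t, n, rng) for j in range(n)]
    out = []
    for i in range(n):
        # Player k computes sum_j c_ij * resh[j][k] (additions and constant multiplications
        # only) and sends it to player i alone; those n values are a degree-t sharing of
        # hat_h(alpha_i), which player i reconstructs from any t+1 of them.
        recv = [sum(C[i][j] * resh[j][k] for j in range(n)) % P for k in range(n)]
        out.append(reconstruct(points[:t + 1], recv[:t + 1]))
    return out

def demo(a=123456, b=654321, t=2, n=7, seed=1):
    """Share a and b among n players and evaluate an addition and a multiplication gate."""
    rng = random.Random(seed)
    points = list(range(1, n + 1))
    sa, sb = share(a, t, n, rng), share(b, t, n, rng)
    s_sum = [(x + y) % P for x, y in zip(sa, sb)]     # addition gate: local only
    s_prod = bgw_multiply(sa, sb, t, rng)             # multiplication gate
    return {
        "sum": reconstruct(points[:t + 1], s_sum[:t + 1]),
        "prod": reconstruct(points[:t + 1], s_prod[:t + 1]),
        "prod_from_other_players": reconstruct(points[4:], s_prod[4:]),
        "prod_has_degree_t": all(c == 0 for c in interpolate(points, s_prod)[t + 1:]),
    }
```

The last two entries of `demo()` check what the text promises: every set of $t+1$ players reconstructs the same product, and the output shares lie on a degree-$t$ polynomial rather than the degree-$2t$ product.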
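Robust reconstruction for the malicious reveal stage (Reed-Solomon decoding with the Berlekamp-Welch algorithm named above), as an added Python example that is not from the notes: the $n$ revealed shares of a degree-$t$ polynomial are decoded even when up to $\lfloor (n-t-1)/2 \rfloor$ of them are wrong, which covers $t$ errors whenever $t < n/3$. The prime field, the corrupted values and all names are constructed for this example.

```python
P = 2_147_483_647   # the field Z_p for the prime p = 2^31 - 1 (a constructed choice)

def poly_eval(coeffs, x):
    """Evaluate sum_k coeffs[k] * x^k over Z_p (coeffs[0] is the constant term)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def solve_mod_p(rows, rhs):
    """Solve rows * v = rhs over Z_p by Gauss-Jordan elimination.  The system may be
    underdetermined, in which case free variables are set to 0.  None if inconsistent."""
    m, k = len(rows), len(rows[0])
    A = [list(r) + [b] for r, b in zip(rows, rhs)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, m) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, P)
        A[r] = [x * inv % P for x in A[r]]
        for i in range(m):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(x - f * y) % P for x, y in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(A[i][k] for i in range(r, m)):      # a row reading 0 = nonzero: no solution
        return None
    v = [0] * k
    for i, c in enumerate(pivots):
        v[c] = A[i][k]
    return v

def poly_divmod(num, den):
    """Long division of polynomials over Z_p; returns (quotient, remainder)."""
    num, d = list(num), len(den)
    inv = pow(den[-1], -1, P)
    q = [0] * max(len(num) - d + 1, 1)
    for i in range(len(num) - d, -1, -1):
        coef = num[i + d - 1] * inv % P
        q[i] = coef
        for j in range(d):
            num[i + j] = (num[i + j] - coef * den[j]) % P
    return q, num[:d - 1]

def berlekamp_welch(points, values, t):
    """Recover the degree-t polynomial f that agrees with all but at most
    e = floor((n - t - 1) / 2) of the revealed (alpha_i, y_i) pairs.
    Returns (coefficients of f, indices of the corrupted pairs), or None."""
    n = len(points)
    e = (n - t - 1) // 2
    # Unknowns: Q of degree <= e + t and a monic error locator E of degree e that
    # vanishes at every corrupted alpha_i, so that Q(alpha_i) = y_i E(alpha_i) for all i.
    # Moving the known leading term of E to the right-hand side, each revealed share
    # gives one linear equation:  sum_k q_k a^k - y_i sum_{k<e} e_k a^k = y_i a^e  (a = alpha_i)
    rows, rhs = [], []
    for a, y in zip(points, values):
        row = [pow(a, k, P) for k in range(e + t + 1)]
        row += [(-y * pow(a, k, P)) % P for k in range(e)]
        rows.append(row)
        rhs.append(y * pow(a, e, P) % P)
    sol = solve_mod_p(rows, rhs)
    if sol is None:
        return None
    Q, E = sol[:e + t + 1], sol[e + t + 1:] + [1]
    f, rem = poly_divmod(Q, E)
    if any(rem):
        return None
    # Q = f * E exactly when at most e shares are wrong: Q - f E has degree <= e + t
    # but vanishes on the >= n - e honest points, and n - e > e + t.
    bad = [i for i, (a, y) in enumerate(zip(points, values)) if poly_eval(f, a) != y]
    return (f, bad) if len(bad) <= e else None

def robust_reconstruct(points, values, t):
    """The secret f(0) from the revealed shares, tolerating up to e wrong ones."""
    res = berlekamp_welch(points, values, t)
    return None if res is None else res[0][0]

def demo():
    """Constructed case: t = 2, n = 7 (so e = 2), f(x) = 42 + 7x + 11x^2, with the
    shares revealed by players 2 and 5 replaced by garbage."""
    f = [42, 7, 11]
    points = list(range(1, 8))
    values = [poly_eval(f, a) for a in points]
    values[1], values[4] = 13, 999
    return berlekamp_welch(points, values, 2)
```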
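The verifiable secret sharing of steps 1 to 4 above, as an added Python example that is not from the notes: an honest dealer's bivariate polynomial passes every pairwise check, a player who lies during the check draws complaints from everyone she talks to, and a row $f_3$ handed out by the dealer that is inconsistent with $s(x, y)$ is caught by the same check. The prime field, the cheating behaviour and all names are constructed here.

```python
import random

P = 2_147_483_647   # the field Z_p for the prime p = 2^31 - 1 (a constructed choice)

def poly_eval(coeffs, x):
    """Evaluate sum_k coeffs[k] * x^k over Z_p (coeffs[0] is the constant term)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def deal(secret, t, n, rng=random):
    """Steps 1-3 for an honest dealer.  q is a random degree-t polynomial with
    q(0) = secret; S[a][b] is the coefficient of x^a y^b in s(x, y), with S[0] = q
    so that s(0, z) = q(z).  Player i (point alpha_i = i) receives f_i(x) = s(x, i)
    and g_i(y) = s(i, y), both as coefficient lists."""
    q = [secret % P] + [rng.randrange(P) for _ in range(t)]
    S = [q] + [[rng.randrange(P) for _ in range(t + 1)] for _ in range(t)]
    shares = []
    for i in range(1, n + 1):
        f_i = [sum(S[a][b] * pow(i, b, P) for b in range(t + 1)) % P for a in range(t + 1)]
        g_i = [sum(S[a][b] * pow(i, a, P) for a in range(t + 1)) % P for b in range(t + 1)]
        shares.append((f_i, g_i))
    return shares

def pairwise_check(shares, liars=()):
    """Step 4.  Player j sends g_j(alpha_i) to player i, who compares it with her own
    f_i(alpha_j).  Players listed in `liars` (1-based) send a wrong value instead.
    Returns the complaints as pairs (i, j): player i complains about what j sent."""
    complaints = []
    for i, (f_i, _) in enumerate(shares, start=1):
        for j, (_, g_j) in enumerate(shares, start=1):
            if i == j:
                continue
            sent = poly_eval(g_j, i)
            if j in liars:
                sent = (sent + 1) % P          # constructed cheating: off by one
            if poly_eval(f_i, j) != sent:
                complaints.append((i, j))
    return complaints

def reconstruct(shares, ids):
    """Player i's Shamir share of the secret is q(alpha_i) = s(0, alpha_i) = f_i(0);
    Lagrange interpolation at 0 over any t+1 players (1-based ids) recovers q(0)."""
    total = 0
    for i in ids:
        num, den = 1, 1
        for j in ids:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + shares[i - 1][0][0] * num * pow(den, -1, P)) % P
    return total

def demo(secret=31337, t=2, n=7, seed=7):
    """Three constructed runs: honest dealer and players; honest dealer with player 2
    lying during the check; a dealer handing player 3 an f_3 that is not s(x, alpha_3)."""
    rng = random.Random(seed)
    honest = deal(secret, t, n, rng)
    tampered = list(honest)
    f3, g3 = honest[2]
    tampered[2] = ([(f3[0] + 1) % P] + f3[1:], g3)
    return {
        "honest": pairwise_check(honest),
        "liar": pairwise_check(honest, liars={2}),
        "bad_dealer": pairwise_check(tampered),
        "secret": reconstruct(honest, [1, 4, 6]),
    }
```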
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationLecture 18: Zero-Knowledge Proofs
COM S 6810 Theory of Computing March 26, 2009 Lecture 18: Zero-Knowledge Proofs Instructor: Rafael Pass Scribe: Igor Gorodezky 1 The formal definition We intuitively defined an interactive proof to be
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationCryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups
Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 16 March 19, 2012 CPSC 467b, Lecture 16 1/58 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationFast Large-Scale Honest-Majority MPC for Malicious Adversaries
Fast Large-Scale Honest-Majority MPC for Malicious Adversaries Koji Chida 1, Daniel Genkin 2, Koki Hamada 1, Dai Ikarashi 1, Ryo Kikuchi 1, Yehuda Lindell 3, and Ariel Nof 3 1 NTT Secure Platform Laboratories,
More informationTheory of Computation Chapter 12: Cryptography
Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption
More informationLecture 10. Public Key Cryptography: Encryption + Signatures. Identification
Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover
More informationRealistic Failures in Secure Multi-Party Computation
Realistic Failures in Secure Multi-Party Computation Vassilis Zikas 1, Sarah Hauser 2, and Ueli Maurer 1 Department of Computer Science, ETH Zurich, 8092 Zurich, Switzerland 1 {vzikas,maurer}@inf.ethz.ch,
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More informationMultiparty Computation, an Introduction
Multiparty Computation, an Introduction Ronald Cramer and Ivan Damgård Lecture Notes, 2004 1 introduction These lecture notes introduce the notion of secure multiparty computation. We introduce some concepts
More informationOblivious Evaluation of Multivariate Polynomials. and Applications
The Open University of Israel Department of Mathematics and Computer Science Oblivious Evaluation of Multivariate Polynomials and Applications Thesis submitted as partial fulfillment of the requirements
More informationSELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION
Journal of Applied Mathematics and Computational Mechanics 2016, 15(1), 39-47 www.amcm.pcz.pl p-issn 2299-9965 DOI: 10.17512/jamcm.2016.1.04 e-issn 2353-0588 SELECTED APPLICATION OF THE CHINESE REMAINDER
More informationNotes 10: Public-key cryptography
MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such
More informationDiscrete Mathematics and Probability Theory Spring 2016 Rao and Walrand Discussion 6A Solution
CS 70 Discrete Mathematics and Probability Theory Spring 2016 Rao and Walrand Discussion 6A Solution 1. Polynomial intersections Find (and prove) an upper-bound on the number of times two distinct degree
More informationQuantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139
Quantum Error Correcting Codes and Quantum Cryptography Peter Shor M.I.T. Cambridge, MA 02139 1 We start out with two processes which are fundamentally quantum: superdense coding and teleportation. Superdense
More informationDiscrete Mathematics and Probability Theory Fall 2014 Anant Sahai Note 7
EECS 70 Discrete Mathematics and Probability Theory Fall 2014 Anant Sahai Note 7 Polynomials Polynomials constitute a rich class of functions which are both easy to describe and widely applicable in topics
More informationSecret sharing schemes
Secret sharing schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction Shamir s secret sharing scheme perfect secret
More informationFast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries
Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il February 8, 2015 Abstract In the setting
More informationSecure Multiplication of Shared Secrets In The Exponent
Secure Multiplication of Shared Secrets In The Exponent Rosario Gennaro Mario Di Raimondo May 26, 2003 Abstract We present a new protocol for the following task. Given tow secrets a, b shared among n players,
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationEntanglement and information
Ph95a lecture notes for 0/29/0 Entanglement and information Lately we ve spent a lot of time examining properties of entangled states such as ab è 2 0 a b è Ý a 0 b è. We have learned that they exhibit
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationParallel Coin-Tossing and Constant-Round Secure Two-Party Computation
Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationMidterm 2. Your Exam Room: Name of Person Sitting on Your Left: Name of Person Sitting on Your Right: Name of Person Sitting in Front of You:
CS70 Discrete Mathematics and Probability Theory, Fall 2018 Midterm 2 8:00-10:00pm, 31 October Your First Name: SIGN Your Name: Your Last Name: Your SID Number: Your Exam Room: Name of Person Sitting on
More informationLecture 15: Interactive Proofs
COM S 6830 Cryptography Tuesday, October 20, 2009 Instructor: Rafael Pass Lecture 15: Interactive Proofs Scribe: Chin Isradisaikul In this lecture we discuss a new kind of proofs that involves interaction
More informationSecret Sharing Schemes
Secret Sharing Schemes 1.1 Introduction 1 1 Handling secret has been an issue of prominence from the time human beings started to live together. Important things and messages have been always there to
More informationLecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007
G22.3033-013 Exposure-Resilient Cryptography 17 January 2007 Lecturer: Yevgeniy Dodis Lecture 1 Scribe: Marisa Debowsky 1 Introduction The issue at hand in this course is key exposure: there s a secret
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationDiscrete Mathematics and Probability Theory Fall 2013 Vazirani Note 6
CS 70 Discrete Mathematics and Probability Theory Fall 2013 Vazirani Note 6 Error Correcting Codes We will consider two situations in which we wish to transmit information on an unreliable channel. The
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationA New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank
A New Approach to Practical Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank Secure Two-Party Computation Alice has an input a {0,1} * Bob has an input
More informationLecture 15 and 16: BCH Codes: Error Correction
CS681 Computational Number Theory Lecture 15 and 16: BCH Codes: Error Correction Instructor: Piyush P Kurur Scribe: Ramprasad Saptharishi Overview In these two lectures, we shall see how error correction
More informationCryptography. P. Danziger. Transmit...Bob...
10.4 Cryptography P. Danziger 1 Cipher Schemes A cryptographic scheme is an example of a code. The special requirement is that the encoded message be difficult to retrieve without some special piece of
More informationDistributed Oblivious RAM for Secure Two-Party Computation
Seminar in Distributed Computing Distributed Oblivious RAM for Secure Two-Party Computation Steve Lu & Rafail Ostrovsky Philipp Gamper Philipp Gamper 2017-04-25 1 Yao s millionaires problem Two millionaires
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationA Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol
A Verifiable 1-out-of-n Distributed Oblivious Transfer Protocol Christian L F Corniaux and Hossein Ghodosi James Cook University, Townsville QLD 4811, Australia chriscorniaux@myjcueduau, hosseinghodosi@jcueduau
More informationRobust Non-Interactive Multiparty Computation Against Constant-Size Collusion
Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion Fabrice Benhamouda, Hugo Krawczyk, and Tal Rabin IBM Research, Yorktown Heights, US Abstract. Non-Interactive Multiparty Computations
More informationCSA E0 312: Secure Computation September 09, [Lecture 9-10]
CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationRobustness for Free in Unconditional Multi-Party Computation
Robustness for Free in Unconditional Multi-Party Computation Martin Hirt and Ueli Maurer ETH Zurich Department of Computer Science {hirt,maurer}@inf.ethz.ch Abstract. We present a very efficient multi-party
More informationOn the Round Complexity of Covert Computation
On the Round Complexity of Covert Computation Vipul Goyal Microsoft Research, India vipul@microsoft.com Abhishek Jain UCLA abhishek@cs.ucla.edu Abstract In STOC 05, von Ahn, Hopper and Langford introduced
More information